Bluetooth Locks
(and an update on the X-09)








by mh, in cooperation with Ray 


2019-10-25 
LockCon 2019, Baarlo, NL 


[V1.1 as of 2019-11-05 with some updates that were added after LockCon 2019.] 


Disclaimer: The opinions expressed here are those of the author only; the author is not affiliated with 
the lock manufacturers in any way; the lock manufacturers or the author's employers have nothing to 
do with this presentation. All trademarks are the property of their owners. The information was 
derived only from the analysis of single locks and might be incomplete and / or might contain errors. 
The author gives no warranty and accepts no liability whatsoever concerning this presentation. 
What This Presentation Is About

- Smart devices using Bluetooth Low Energy
- How to analyze / hack / improve them
- Vulnerabilities we found that way, from cheap padlocks to hotel door systems
- An update on the X-09 high security lock
1. Bluetooth Low Energy (BLE) Ecosystem
2. How to Analyze BLE Systems
3. Previous Vulnerabilities
4. BLE Hotel Keys
5. Responsible Disclosure
6. X-09 Side-channel Attack?
BLE Locks

Components of a "Smart" Lock Ecosystem:
[Diagram: Lock <-- BLE --> Smartphone App <-- http/https --> Internet]
BLE Locks - Attack Vectors

- Connections: sniffing, machine-in-the-middle
- Impersonation
Getting the BLE Traffic

- On your own device, log traffic locally:
  - Android: enable debug mode, activate HCI snoop log
  - iOS: install Apple Bluetooth Debug Certificate on your device
Getting the BLE Traffic

- Now use the app and interact with the device
- Note timestamps of important actions (like "open lock")
- Get HCI log from phone
- Analyze using tools like Wireshark
[Wireshark screenshot of the HCI log, display filter "btatt.handle >= 0x0". Selected packet:]

Frame 845: 18 bytes on wire (144 bits), 18 bytes captured (144 bits)
Bluetooth HCI H4
Bluetooth HCI ACL Packet
Bluetooth L2CAP Protocol: Length: 9, CID: Attribute Protocol (0x0004)
Bluetooth Attribute Protocol
  Opcode: Write Request (0x12)
  Handle: 0x0029 (Unknown: Unknown)
  Value: 55410027dbe8
Sniffing BLE

- For real attacks, sniff BLE over the air
- 3 advertising channels, need to listen to the active one to catch a connection setup
- USB BLE sniffers ~$25
Classic Sniffing Tools

- Adafruit Bluefruit LE Sniffer or Ubertooth One
- Support Wireshark live view
- Can monitor only 1 advertising channel at a time, follow sequence
- OK for proof of concept, for reliable attacks you need more
Our Favorite Tool: btlejack

- btlejack by Damien Cauquil
- Firmware for cheap BLE USB devices: BBC Micro:Bit, BLE400, Adafruit Sniffer
- Use 3 devices and follow all advertising channels in parallel
- Much more than just sniffing: hijacking, ...





Ray's Proof-of-Concept

[Figure]
New Tool: Mirage

- Mirage by Romain Cayre
- Brings its own (hackable) BLE stack -> more transparent MITM
- MITM on one device only (good & bad)
- Powerful and flexible framework -> more difficult to use
How to Analyze the Backend Link

[Diagram: Lock -- Smartphone App -- Internet, with the app-to-Internet link highlighted]
TLS MITM

- Only few apps use plain HTTP
- Add fake root CA to intercept TLS/HTTPS
- MITM tools create certificates on the fly
- To analyze the app, not to break other people's TLS
Using MITM CAs

- iOS: just declare it as trusted
- Android:
  - works easily up to 6.x, needs rooted device on >= 7
  - or modify app to use user cert store: add network security config to manifest (then rebuild, sign)
If the App Uses Certificate Pinning

[Screenshot of a hotel app (Mandalay Bay Resort and Casino, Las Vegas): "Digital key is not supported at the moment, please visit the Front Desk to pick up your room key. (Code: Certificate pinning failure! Peer certificate chain: sha256/…)" - "Tap to view Room Number"]
If the App Uses Certificate Pinning

- Try the other app (iOS vs. Android), or an older version Android app
- Modify the app, rebuild, sign
- Use Frida / objection
  - Intercept calls in the app, or in the OS
TLS MITM Tools

- Unix command line: mitmproxy
- macOS: Charles Proxy
- Many more available, like Burp Suite or Fiddler

Example: mitmproxy
[mitmproxy screenshot:]

2016-12-26 04:33:20  https://nokeapp.com/  text/html 940b 62ms
Response headers: text/html; charset=utf-8 / Mon, 26 Dec 2016 04:57:55 GMT / Google Frontend / 940 / close
JSON:
{
  "lockcount": 2,
  "locks": [
    {
      "autounlock": "0",
      "battery": "196",
      "fobcodesavailable": "25",
      "fobcodesrefreshstate": "",
      "foblocklinks": [],
      "foblocklinkscount": "0",
      "lockid": "38850",
      "lockkey": "40637020F41C",
      …
Analyzing the Collected Data

[Diagram: Lock -- Smartphone App -- Internet]
Example: Nokelock

- Small, cheap BLE padlock
- Company offers a large variety of locks (also for doors, cabinets, bikes, e-scooters...)

Note: Research as of 2018, the app has been improved in the meantime.
Analyzing the Collected Data - HTTPS

Unencrypted HTTP traffic (Charles Proxy screenshot): besides https://www.gstatic.com, http://android.bugly.qq.com and https://graph.facebook.com, the app talks to http://app.nokelock.com:8080/newNokelock/ with the requests user/updateCid, user/loginByPassword, user/getInfo, user/checkVersion and lock/getLockList. Response to getLockList (excerpt):

{
  "result": [{
    …
    "lockKey": "27,32,84,73,58,5,94,55,72,85,53,73,75,1,77,69",
    "isAdmin": 0,
    "firmwareVersion": "5.0",
    "type": 0,
    "barcode": "XBA040000645",
    …
    "mac": "C8:DF:84:2B:9C:2bE",
    "account": "mh@tosl.org",
    "gsmVersion": null
  }],
  "status": "2000"
}
16 bytes "lockKey"

[Same getLockList response; further fields: "name": "mh small", "deviceId": "", "lockPwd": "000000"]

16 bytes lockKey: 27,32,84,73,58,5,94,55,… = 1B 20 54 49 3A 05 5E 37 … -> maybe AES-128?
Traffic Looked Random - Decrypt It

Decrypt BLE traffic with AES-128 ECB -> doesn't look random:

  …                                                (app > lock)
  06 02 07 d4 9c ea ce 01 05 00 00 00 00 00 00 00  (lock > app)
  …                                                (app > lock)
  02 02 01 59 9c ea ce 01 05 00 00 00 00 00 00 00  (lock > app)
  …                                                (app > lock)
  05 02 01 00 9c ea ce 01 05 00 00 00 00 00 00 00  (lock > app)
  05 0d 01 00 9c ea ce 01 05 00 00 00 00 00 00 00  (lock > app)
  …                                                (app > lock)
  05 02 01 00 9c ea ce 01 05 00 00 00 00 00 00 00  (lock > app)
  05 0d 01 00 9c ea ce 01 05 00 00 00 00 00 00 00  (lock > app)
Analyzing the Protocol

(compare several sessions):
[Table of decrypted frames from several sessions, app > lock and lock > app]
Analyzing the Protocol

Deduce protocol (from a few sessions):

  AUTH REQUEST     (…),      …                                          (app > lock)
  AUTH RESPONSE    (060207), 4 byte session ID, 0 padding                (lock > app)
  STATUS REQUEST   (020101), 4 byte session ID, …                        (app > lock)
  STATUS RESPONSE  (020201), batt state, 3 byte sess. ID, 0 padding      (lock > app)
  UNLOCK REQUEST   (050106), passcode, session ID, …                     (app > lock)
  UNLOCK ACK       (050201), 3 byte session ID, 0 padding                (lock > app)
  UNLOCK CONFIRM   (050d01), 3 byte session ID, 0 padding                (lock > app)

-> Session replay protection: 4 byte session ID created by the lock.
Next Steps

Verify the findings, look for weaknesses.

BLE protocol
- Write SW that mimics the app, e.g. Python, bluepy or Adafruit BluefruitLE
- Explore the protocol, use fuzzing techniques

Whole system
- Maybe an OEM uses the same key for all devices?
- Maybe the backend leaks other users' keys? (when researching this, consider legal restrictions!)
ANBOUD Padlock

- Typical cheap BLE padlock
- Shim-proof mechanics, but passcode transmitted in plain text
- To our knowledge still unfixed
ANBOUD PWNED

Bluetooth Attribute Protocol
  Opcode: Write Request (0x12)
  Handle: 0x0029 (Unknown: Unknown)
  Value: 55410027dbe8

- Hex 0x0027DB = Dec 010203
- That's the code I set on the lock
- Original app can now be used to open lock with sniffed code
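The analysis step behind the two previous slides (pull the HCI snoop log off the phone, look at the ATT writes, and see whether your own passcode goes over the air in the clear), as an added Python example that is not from the slides. It parses the btsnoop file Android writes (assumed: datalink type 1002, HCI H4 framing) and the capture it runs on is constructed to contain the ANBOUD write shown above, so it works offline.

```python
"""List ATT writes from an Android HCI snoop log and check for a plaintext passcode.

Added example, not from the slides. Assumptions: btsnoop datalink 1002 (HCI H4,
what Android writes); the sample capture below is constructed to hold the
ANBOUD write from the slide (handle 0x0029, value 55410027dbe8).
"""
import struct

BTSNOOP_MAGIC = b"btsnoop\x00"
DATALINK_H4 = 1002          # btsnoop datalink type: HCI UART (H4)
H4_ACL_DATA = 0x02          # H4 packet indicator for ACL data
L2CAP_CID_ATT = 0x0004      # Attribute Protocol channel
ATT_WRITE_REQUEST = 0x12
ATT_WRITE_COMMAND = 0x52


def iter_btsnoop_records(blob):
    """Yield (flags, packet) for each record; flags bit 0 is the direction."""
    if blob[:8] != BTSNOOP_MAGIC:
        raise ValueError("not a btsnoop file")
    _version, datalink = struct.unpack(">II", blob[8:16])
    if datalink != DATALINK_H4:
        raise ValueError("unsupported datalink type %d" % datalink)
    off = 16
    while off + 24 <= len(blob):
        _orig, incl, flags, _drops, _ts = struct.unpack(">IIIIq", blob[off:off + 24])
        off += 24
        yield flags, blob[off:off + incl]
        off += incl


def att_writes(blob):
    """Return [(direction, handle, value)] for every ATT Write Request/Command."""
    out = []
    for flags, pkt in iter_btsnoop_records(blob):
        if len(pkt) < 9 or pkt[0] != H4_ACL_DATA:
            continue
        # ACL header: handle+flags (LE16), data length (LE16); then L2CAP: length, CID
        acl_len = struct.unpack_from("<H", pkt, 3)[0]
        l2cap_len, cid = struct.unpack_from("<HH", pkt, 5)
        att = pkt[9:9 + l2cap_len]
        if cid != L2CAP_CID_ATT or acl_len != l2cap_len + 4 or len(att) < 3:
            continue
        if att[0] not in (ATT_WRITE_REQUEST, ATT_WRITE_COMMAND):
            continue
        handle = struct.unpack_from("<H", att, 1)[0]
        direction = "phone>lock" if flags & 1 == 0 else "lock>phone"
        out.append((direction, handle, att[3:]))
    return out


def find_plaintext_code(writes, code_digits):
    """Writes whose value contains the user's own passcode as a 3-byte big-endian
    integer, the encoding seen for the ANBOUD lock (010203 -> 00 27 db)."""
    needle = int(code_digits).to_bytes(3, "big")
    return [(handle, value.hex()) for _d, handle, value in writes if needle in value]


def build_sample_log():
    """Constructed btsnoop capture with one ACL packet carrying the slide's write."""
    att = bytes([ATT_WRITE_REQUEST]) + struct.pack("<H", 0x0029) + bytes.fromhex("55410027dbe8")
    l2cap = struct.pack("<HH", len(att), L2CAP_CID_ATT) + att
    acl = bytes([H4_ACL_DATA]) + struct.pack("<HH", 0x2040, len(l2cap)) + l2cap
    record = struct.pack(">IIIIq", len(acl), len(acl), 0, 0, 0) + acl
    return BTSNOOP_MAGIC + struct.pack(">II", 1, DATALINK_H4) + record


if __name__ == "__main__":
    writes = att_writes(build_sample_log())
    for direction, handle, value in writes:
        print(direction, hex(handle), value.hex())
    print("passcode 010203 in clear:", find_plaintext_code(writes, "010203"))
```

On a real log, replace build_sample_log() with the bytes of btsnoop_hci.log and pass the code you set on the lock; a hit means the lock accepts the passcode in plain text.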
12 / 14 of 16 locks vulnerable

- Rose & Ramsey at DefCon 24 (2016)
- 12 of 16 tested locks had simple BLE vulnerabilities
- Only two of the padlocks remained unbroken
- One of those we opened with a magnet, like its predecessor, the other one ...
[In the presentation we had a video showing how to turn the internal motor with a strong magnet. This PDF does not include the video, but you can get an idea from the video that's linked on the previous slide.]
NOKE Padlock (!= Nokelock)

- One of the first BLE padlocks, $652,828 raised on Kickstarter in 2014
- Note: Research applies to the original firmware from 2015-2017 (our responsible disclosure in 2016 led to a firmware update in 2017)
NO(KE) Security

- Uses AES-128 cipher
- Uses two different secrets for owner and other users
- Time restrictions only enforced in app
NOKE AES VULN

- Secret is transmitted using individual AES session keys
- But session keys are created in a "secret handshake" using a hardcoded AES key
- Security by obscurity
NOKE Session Key

[Disassembly excerpt of createSessionKey; the mnemonics were lost in extraction, the operands are shown:]

public createSessionKey
createSessionKey proc near
  …
  edx, byte ptr [esi+eax]
  dl, [edi+eax]
  [ecx+eax], dl
  eax, [eax+1]
  eax, 4
  short loc_3F78
  …

...from binary .so file in APK
NOKE KEX Broken

  app nonce:   b1 4c 68 a1
  XOR
  lock nonce:  bf f9 1a e4
  = 0e b5 72 45
  + (add byte-by-byte modulo 256)
  (pre-shared key)
  = 00 01 02 03 04 | 13 bb 79 4d | 09 0a 0b 0c 0d 0e 0f   (new session key)

New session key can now be used to decrypt transfer of the user's secret.
Why BLE for Hotels?

- Main purpose: self-check-in
- No keycard anymore, mobile phone app is the key
- Hotels can reduce front desk staff
- Guests don't have to wait in queue
Challenges for Vendors

- Secure pairing not feasible
- Old hardware in locks, not always online
- Apps often made by 3rd parties, lock vendor just provides the SDK
Mobile Key

- Booking linked to app account, or added by user (sometimes using weak credentials)
- Online check-in
- Mobile key is transferred from backend to app
Mobile Key Demo

[Video that shows how to use the mobile app at a hotel door. (The graphics in the mobile app were modified using SSL MITM.)]
Hotel "H"
Encrypted Mobile Key System

- The vendor has a secret key K_V, known to the lock
- Backend to App: key K and encrypted key K* = enc_{K_V}(K)
- App to Lock: K*
- Lock uses K_V to decrypt K* to K
- Key K now known to App and lock, but not to an eavesdropper; K_V still unknown to App
- Further BLE traffic is AES-encrypted with key K
Encrypted Mobile Key System

- Didn't find obvious attack vector, except for extracting K_V from the physical lock, which we haven't tried :)
- No further experiments, because on the second stay, the mobile key system was deactivated.

(cf. Thomas, Blackhat USA 2014: Reverse-Engineering the Supra iBox)
Vulnerable System

- Found system early 2019 in an upper class hotel
- Mobile key used in elevator, rooms and fitness center
- Analyzed TLS and BLE traffic
Key from Backend

[mitmproxy screenshot:]

2019-07-25 03:23:08  GET https://app…/api/v1/devices/mobile_key/8fdcc75e-a290-4633-9Tb8-865c9472ba63
  <- 200 OK application/json 702b 140ms
Response headers (excerpt): X-Request-Id: 48dd45a5-7610-4ba3-a684-f5853f5696dd, X-Runtime: 0.047805, Strict-Transport-Security: max-age=31536000; includeSubDomains
JSON:
{
  "device_token": …,
  "exp_date": "2019-07-25 00:00:00.000",
  "key_type": …,
  "mobile_key": {
    "da": "2019-07-25T14:00+00:00",
    "dt": [
      140,
      2,
      253,
      1,
      254,
      248,
      …
Data seen from Backend (TLS)          Data seen in HCI log (BLE)

  "dt": [                             Bluetooth HCI ACL Packet
    140,                              Bluetooth L2CAP Protocol
    …                                 Bluetooth Attribute Protocol
                                        Opcode: Write Request (0x12)
                                        Handle: 0x000e (Unknown: Unknown)
                                        Value:
Full BLE Trace

  Lock: 0000
  Lock: 000103001ec05d6bb5190707051b2b19e0
  App:  00010200001200010101010101bbec98f3
  Lock: 0001040104d612ffeafad012
  App:  3000000000000044ca8c02fd01fef8fdf9  \
  App:  31605803e9196317fb5b9e8c6e616b7ba6   | = Key (all bytes from backend)
  App:  32ca06cfbc48c67697f0c34897948c218c   |
  App:  33cf3f2a462f78d9c8874b6bb021b70034  /
  Lock: 0002190707051b00090ca500000001a4f08
  Lock: 0002

Note: The description was slightly modified to protect the innocent not yet patched devices.
Further Analysis

  Lock: 0000
  Lock: 000103001ec05d6bb5190707051b2b19e0  = Lock MAC, CRC
  App:  00010200001200010101010101bbec98f3  = App Nonce, CRC
  Lock: 0001040104d612ffeafad012            = Lock Nonce, CRC
  App:  3000000000000044ca8c02fd01fef8fdf9  = Special CRC, Key (all bytes from backend)
  App:  31605803e9196317fb5b9e8c6e616b7ba6
  App:  32ca06cfbc48c67697f0c34897948c218c
  App:  33cf3f2a462f78d9c8874b6bb021b70034
  Lock: 0002190707051b00090ca500000001a4f08  = Lock confirmation: open
  Lock: 0002
CRC Reversing

- Tools for CRC reversing are available, e.g. CRC RevEng
- We just used a custom Python script and searched for CRC-16 parameters that matched in at least 2 messages, assuming the CRC is located at the end of a message

  Trying different polynomials and start values...
  Trying polynomial 0x2f15...
  [...]
  Trying polynomial 0x…
  Match found! Polynomial: 0x… Seed: 0x73 Final XOR: 0xffff
CRC Reversing

- Seed for CRC of first msg turned out to be a value received from the backend ("sc", constant within hotel)
- Seed for CRC of next msg is CRC of previous msg
- But for the most important part, the credential packet, the CRC calculation was more complicated:

  00 00 00 00 00 00 | 0c 3b       | 8c 02 fd 01 fe | 9e f2 3b
  6 bytes,            2 bytes,      5 bytes,         3 bytes,
  always zero         changing      constant per     constant per
                      each session  hotel            stay
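The parameter search from the previous slide and the chained-seed framing from this one, as an added Python example that is not the authors' script. It constructs its own two sessions with an assumed polynomial 0x1021 (the slide gives seed 0x73 and final XOR 0xffff but not the polynomial), recovers the parameters from the first message of each session, and verifies the chain in which each message's seed is the previous message's CRC. The defender's point it makes concrete: every input to these CRCs is either constant or on the air, so a CRC chain detects transmission errors but authenticates nothing; only a MAC under a key the eavesdropper lacks would.

```python
"""CRC-16 parameter recovery from captured frames, plus a chained-seed check.

Added example, not the authors' script. Assumptions: big-endian CRC in the
last two bytes of each message; sample session uses polynomial 0x1021, seed
0x73, final XOR 0xffff; the seed of message i is the transmitted CRC of i-1.
"""

# Common non-reflected CRC-16 polynomials (assumption; CRC RevEng has the full list)
CANDIDATE_POLYS = [0x1021, 0x8005, 0x3D65, 0x0589, 0x8BB7, 0xA097, 0x1DCF, 0xC867]


def make_table(poly):
    """Byte-wise lookup table for an MSB-first CRC-16 with the given polynomial."""
    table = []
    for byte in range(256):
        crc = byte << 8
        for _ in range(8):
            crc = ((crc << 1) ^ poly) if crc & 0x8000 else (crc << 1)
            crc &= 0xFFFF
        table.append(crc)
    return table


def crc16(data, table, seed, xorout=0):
    """MSB-first CRC-16 over data, starting from seed, XORed with xorout at the end."""
    crc = seed
    for b in data:
        crc = ((crc << 8) & 0xFFFF) ^ table[((crc >> 8) ^ b) & 0xFF]
    return crc ^ xorout


def split(msg):
    """Body and transmitted CRC (assumed: last two bytes, big-endian)."""
    return msg[:-2], int.from_bytes(msg[-2:], "big")


def search_params(msgs, polys=CANDIDATE_POLYS):
    """All (poly, seed, xorout) that reproduce the CRC of every message in msgs.
    Give it at least two messages so a coincidental match is ruled out."""
    parts = [split(m) for m in msgs]
    hits = []
    for poly in polys:
        table = make_table(poly)
        for seed in range(0x10000):
            raw = crc16(parts[0][0], table, seed)
            for xorout in (0x0000, 0xFFFF):
                if raw ^ xorout != parts[0][1]:
                    continue
                if all(crc16(b, table, seed, xorout) == w for b, w in parts[1:]):
                    hits.append((poly, seed, xorout))
    return hits


def check_chain(msgs, poly, seed0, xorout):
    """Seed of message 0 is the per-hotel constant, later seeds are the previous
    CRC. Returns the index of the first message that does not fit, else None."""
    table = make_table(poly)
    seed = seed0
    for i, m in enumerate(msgs):
        body, want = split(m)
        got = crc16(body, table, seed, xorout)
        if got != want:
            return i
        seed = got
    return None


def build_session(poly, seed0, xorout, bodies):
    """Constructed chained session: append the CRC to each body in turn."""
    table = make_table(poly)
    msgs, seed = [], seed0
    for body in bodies:
        crc = crc16(body, table, seed, xorout)
        msgs.append(body + crc.to_bytes(2, "big"))
        seed = crc
    return msgs


# Constructed sample: two sessions that both start from the same per-hotel seed
SESSION_A = build_session(0x1021, 0x73, 0xFFFF,
                          [bytes.fromhex("000103001ec05d6b"), bytes.fromhex("0001020000120001")])
SESSION_B = build_session(0x1021, 0x73, 0xFFFF,
                          [bytes.fromhex("000103001ec05d72"), bytes.fromhex("0001020000120002")])
```

search_params over the first message of each session returns the assumed parameters; check_chain then flags a modified message or a message spliced in from the other session, which is all a CRC can do.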
- So we had 1 block with the CRC obviously not at the end, some constant blocks, 6 zero bytes, and 16 changing bits
- And 3 CRC-16 values and 2 session nonces to play with...
- [... some playing around ...]
CRC Reversing

This intermediary byte sequence (and seed CRC3)

  84 3c,  45 f2,  88 40,  34 f1,  8c 02 fd 01 fe 9e f2 3b
  nonce1  CRC1    nonce2  CRC2

yields the final CRC-16 value 0c3b.

-> Now we know how to create the credential packet:

  00 00 00 00 00 00  0c 3b  8c 02 fd 01 fe 9e f2 3b
  overwritten        CRC
  with zeroes        inserted here
Preparing an Attack

- Created a Python script
  - Input: Device name, credential bytes (as sniffed from previous opening)
  - Calculates CRCs, handles BLE communication (using bluepy)
[Video that shows how BLE data is sniffed off the air.]
Executing the Script

  [root@zawa mmk-unlock-master]# python mmk-unlock.py AHPKUJZL 130000000000000381a8c02fd01fef… …b5b9e8c6e616b7ba6 32ca06cfbc48c67697f0c34897948c218c 33cf3f2a462f78d9c8874b6bb021b70034
  Derived from device name AHPKUJZL: SC == 115, Room Number == 3237
  Extracted mobile key: 8c02fd01fef8fdf9605803e9196317fb5b9e8c6e616b7ba6ca06cfbc48c67697f0c3… …d9c8874b6bb021b70034
  [*] scanning (35)...
  [-] Room 3236, SC 115, Additional Data 0, 156 (00:1e:c0:5d:72:94, AHPKQJzb), RSSI=-88
  [-] Room 3237, SC 115, Additional Data 0, 156 (00:1e:c0:5d:6b:b5, AHPKUJzL), RSSI=-83
  [-] Room 3137, SC 115, Additional Data 0, 155 (00:1e:c0:5d:73:e8, AHPEEJUC), RSSI=-94
  [-] Room 3337, SC 115, Additional Data 0, 157 (00:1e:c0:4f:32:f3, AHPQKJ0Q), RSSI=-97
  unlocking in progress...
  [1] Connecting...
  Initializing BLE peripheral class...
  Setting the delegate...
  MyDelegate registered
  Discovering the BLE service...
  Discovering the write characteristic...

[Video that shows how Ray opens the hotel room door with sniffed data. (He opened doors only with permission of an authorized user, no actual breaking in happened!)]
Some more Scripting

- Created test target (also Python script)
  - simulates a lock
  - handles BLE communication in the peripheral role (using pybleno)
- Now we could play with this at home :)
How Big Is the Problem?

- Found more hotel chains using the product
- BLE names are easy to check on-site, without actual room booking
- After booking a room, we found an even simpler variation of the protocol deployed (the "final / special" CRC part is left out)
Disclosure Timeline

- 2019-04-18: First vendor notification, immediate response
- 2019-04-26: Technical details to vendor
- 2019-05-02: Vendor questions feasibility
- 2019-05-06: Proof of concept code sent
- 2019-05-29: Vendor acknowledges vulnerability
- 2019-06-28: Vendor discusses update plans
Update Plans and Challenges

- Locks in our first hotel are online, can be updated remotely
- Others need someone going from door to door with an update device
- Multiple app vendors have to integrate the new SDK
- Lesson learned: Identify all affected parties early
Do you remember this presentation?

[Slide from "The KABA MAS X-09™ High Security Safe Lock. Hands-On Presentation at LockCon 2008, The Netherlands, 10 Oct 2008, Michael U. Huebler": "The motor. Secure against bumping and vibration."]
[Photo: Motor / gear plate assembly, slide drive gear]
DEF CON 27 had a surprise...

[Reuters, Technology News, August 6, 2019: "Exclusive: High-security locks for government and banks hacked by researcher", by Joseph Menn]

"SAN FRANCISCO (Reuters) - Hackers could crack open high-security electronic locks by monitoring their power, allowing thieves to steal cash in automated teller machines, narcotics in pharmacies and government secrets, according to research to be presented Friday at the annual Def Con hacking conference in Las Vegas."
[Slide from the 2008 presentation by Michael U. Huebler: "The electronic card (back cover assembly)."]
Easy to reproduce
[Bus trace of the X-09 (R/W, Addr, Value), reconstructed from the slide:]

  R/W    Addr   Value
  Read   0x00   0x55
  Read   0x01   0xAA
  Read   0x81   0x58
  Read   0x82   0x99
  Read   0x83   0x53
  Read   0xFD   0x58
  Read   0xFE   0x99
  Read   0xFF   0x53
  Write  0x0C   0x00

  Read   0x0A   0x00
  Read   0x0E   0x00
  Read   0x8A   0x00
  Read   0x8B   0x00
  Read   0x07   0x00
  (long pause while the combination is dialed)
  Read   0x00   0x55
  Read   0x01   0xAA
  Read   0x0F   0x61
  Read   0x10   0x84
  Read   0x11   0x73

  Read   0x12 … 0x21   (16 values, not recoverable from the slide)
  Read   0x22 … 0x31   (16 values, not recoverable from the slide)

in "plain text", but obfuscated
(Serial number of the X-09: 589953 - Combination: 12 34 56)
However, the secret combination is not transmitted
Thanks for your attention!

Questions?

Contact: mh@tosl.org
Some Useful Links

BLE exploration tool for your smartphone:
https://apps.apple.com/app/lightblue-explorer/id557428110 /
https://play.google.com/store/apps/details?id=com.punchthrough.lightblueexplorer

Modifying Android app manifest to make app trust user CAs:
https://medium.com/@elye.project/android-nougat-charlesing-ssl-network-efa0951e66de

Rebuild/Sign APK:
https://gist.github.com/AwsafAlam/f53312cbb912cf3e4267a5971cd75db0

JADX decompiler:
https://github.com/skylot/jadx (Also can simply be done online: https://www.google.com/search?&q=online+jadx)

If you are interested in locks and lock picking:
https://toool.nl/Publications
http://lockpicking.org (German)